SINGAPORE: The Ministry of Interior and Defence (Mindef) will be inviting about 300
international and local hackers to hunt for vulnerabilities in its
Internet-connected systems next year (2018), in a bid to guard against
ever-evolving cyber threats.

From Jan 15 to Feb 4, these selected experts will try to penetrate eight of Mindef's
Internet-facing systems, such as the Mindef website, the NS Portal and LearNet
2 Portal, a learning resource portal for trainees.

These registered hackers can earn cash rewards - or bounties - between $150 and
$20,000, based on how critical the flaws discovered are. Called the Mindef Bug
Bounty Programme, it will be the Government's first crowdsourced hacking
programme.

This follows an incident earlier this year when Mindef discovered that hackers had
stolen the NRIC numbers, telephone numbers and birth dates of 854 personnel
through a breach of its I-Net system.

One of the systems being tested, Defence Mail, uses the I-Net system for Mindef and
SAF personnel to connect to the Internet.

On Tuesday (Dec 12), defence cyber chief David Koh announced the new programme
after a visit to the Cyber Defence Test and Evaluation Centre (CyTEC) - a cyber
"live-firing range" where servicemen train against simulated cyber-attacks
- at Stagmont Camp in Choa Chu Kang.

On the significance of the "Hack Mindef" initiative, he told reporters:
"The SAF is a highly networked force. How we conduct our military
operations depends on networking across the army, navy, air force and the joint
staff.

"Every day, we see new cyber attacks launched by malicious actors who are constantly
seeking new ways to breach our systems... Clearly, this is a fast-evolving
environment and increasingly, you see that it is one that is of relevance to
the defence and security domain."

The bigger picture is that cyberspace is emerging as the next battlefield, said Mr
Koh, who is also deputy secretary for special projects at Mindef.

"Some countries have begun to recognise cyber as a domain similar to air, land and
sea. Some have even gone so far as to say that the next major conflict will see
cyber activity as the first activity of a major conflict," he added.

While there will be some risks in inviting hackers to test the systems, such as an
increase in website traffic and the chance that these "white hat"
hackers will turn over discovered vulnerabilities to the dark Web, measures
will be put in place.

"(If) we can't even manage the increase in traffic, that in itself would be a
vulnerability that we would need to address," said Mr Koh.

White-hat hackers are those who break into protected systems to improve security, while
black-hat hackers are malicious ones who aim to exploit flaws.

The programme conducted by US-based bug bounty company HackerOne is expected to
cost about $100,000, depending on the bugs found. But Mr Koh noted that this
would be less than hiring a dedicated vulnerability assessment team, which
might cost up to a million dollars.

Mr Teo Chin Hock, deputy chief executive for development at the Cyber Security
Agency (CSA), said: "By embarking on a bug bounty programme, companies
have the advantage of uncovering security vulnerabilities on their own by
harnessing the collective intelligence and capabilities of these experts and
addressing these vulnerabilities before the black hats do."

In a statement, he added that the CSA is currently in discussions with some of
Singapore's 11 designated critical information infrastructure sectors which
have expressed interest in exploring a similar programme for their
public-facing systems.

Large organisations, such as Facebook and the United States Department of Defence,
have embarked on similar initiatives with some success.

For instance, a similar Hack the Pentagon programme, also conducted by HackerOne,
was launched by the US defence department in 2016. A total of 138 bugs were
found by more than a thousand individuals within three weeks.

The initiative caps a year in which Singapore has been gearing up for the
battlefront in cyberspace.

In March, it was announced that the Defence Cyber Organisation will be set up to
bolster Singapore's cyber defence, with a force of cyber defenders trained to help
in this fight.